Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From Setup Eval
Runs a deep security audit of the Claude Code setup with deterministic checks (prompt injection, credential access, etc.) and LLM-based semantic review. Use for security audits or pre-deployment checks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/setup-eval:setup-eval-securityThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Deep security audit combining deterministic checks with semantic analysis. Two stages: fast pattern-based scanning, then qualitative review of flagged components.
Deep security audit combining deterministic checks with semantic analysis. Two stages: fast pattern-based scanning, then qualitative review of flagged components.
Before doing anything else, ask the user:
Where should i present the results?
- Terminal - print the report here in the conversation
- File - write a markdown report to a file (you'll choose the path)
Wait for their answer before proceeding.
Determine the setup path. If the user doesn't specify one, use the current working directory.
uv run python skills/setup-eval-security/scripts/run_security_scan.py <setup-path>
If the user has a ~/.claude/ directory, pass it as the second argument:
uv run python skills/setup-eval-security/scripts/run_security_scan.py <setup-path> ~/.claude
Read the JSON output. Note which checks were skipped and why.
For every component that has security findings, read the actual file content. You need the real content for the semantic review.
Read rubric/security-review-rubric.md for the review criteria and output format.
For each component, answer the 4 security checks from the rubric. Prioritize components with deterministic findings, but check all components. Use the exact format specified in the rubric (CLEAN/FLAG per check, with evidence).
Read report-format.md and format the combined results following that structure.
Include:
At the very end of the report, include the exact timing:
Evaluated with: setup-eval v{version} (claude-code-plugin)
Duration: [X minutes Y seconds]
Get {version} by running: uv run python -c "import importlib.metadata; print(importlib.metadata.version('setup-eval'))"
Record the timestamp of your first tool call in Step 2 and compute the exact difference when you finish.
Blocks Edit/Write/Bash actions until Claude investigates importers, data schemas, and user instructions. Improves output quality by forcing concrete facts before edits.
npx claudepluginhub redhat-community-ai-tools/harness-eval-lab --plugin setup-eval